ABSTRACT: The techniques of proxy signature and fault tolerance are two important issues in modern
communication. A proxy signature scheme permits an original signer to delegate his/her signing capability to a
proxy signer, and then the proxy signer generates a signing message on behalf of the original signer. To
communicate securely over an unreliable public network, the two parties must be able to authenticate one
another and agree on a secret encryption key. Authenticated key agreement protocols have an important role in
building a secure communications network between the two parties. In this paper, we propose a secure proxy
signature scheme with fault tolerance over an efficient and secure authenticated key agreement protocol based
on the discrete logarithm problem. The scheme does not require any extra mechanism, such as checkpoints, to
achieve the property of fault tolerance.

I. INTRODUCTION

Due to the rapid growth in modern communication systems, fault tolerance and data security are two
important issues in a secure transaction. During the transmission of data between the sender and receiver, errors
may occur frequently. Therefore, the sender must re-transmit the data to the receiver in order to correct these
errors, which makes the system very feeble. Digital signature schemes with fault tolerance make it possible for
error detections and corrections during the processes of data computations and transmissions. Previously, Zhang
[1] and Lee and Tsai [2] have respectively proposed two efficient, fault-tolerant schemes based on the RSA
cryptosystem. Both of them can efficiently check the sender's identity and keep the confidentiality of the
transmitted document. Furthermore, they can detect the errors and correct them. However, these schemes have a
common weakness in security. Huifang Xue [3] has improved the mechanism of Lee and Tsai by providing
extra security against Chosen Ciphertext Attacks (CCA) using a permutation matrix. If a malicious party looks into
the message, he will find it difficult to understand or calculate the checksum/hash value due to the randomization of



permutation i 

proxy signature scheme allows an original signer to delegate his/her signing right to a proxy signer to sign the
message on behalf of an original signer. Later, the verifier, which knows the public keys of the original signer
and a proxy signer, can check the validity of a proxy signature issued by a proxy signer. The classification of the
proxy signature is dependent on the basis of delegation, namely full delegation, partial delegation, and
delegation by warrant, and presents a well-organized strategy. In the full delegation, the proxy signer signs a
document using the same secret key as the original signer. The drawback of proxy signature with the full
delegation is the difficulty of differentiating between the original signer and the proxy signer.

In the partial delegation, the proxy key is derived from the secret key of the original signer, who hands
it over to the proxy signer as a delegation capability. Due to the partial delegation, the proxy signer's signing
capability cannot be restricted, so he/she can misuse the delegation capability. The weaknesses of full delegation
and partial delegation are eliminated by the partial delegation with warrant. A warrant explicitly states the
signer's identity, the delegation period, and the qualification (types) of messages on which the proxy signer can
sign.

There are two types of partial delegation with warrant: protected and unprotected proxy signature
schemes. In the unprotected proxy signature scheme, a proxy signature is generated by both proxy signer and
original signer. In this case, the verifier cannot distinguish the identity of a signer. In the protected proxy
signature scheme, a proxy signature is generated by the proxy signature key of an original signer and also with a
private key of a proxy signer. In 1997, Kim et al. [5] proposed a scheme using the concept of partial delegation
with a warrant to restrict the proxy signer's signing capability. In 1999, Okamoto et al. [6], for the first time,
proposed a proxy-unprotected signature scheme based on the RSA scheme. A proxy-protected signature scheme
based on the RSA assumption was proposed by Lee et al. in 2001 [7], [8]. In 2009, Shao [9] proposed the
proxy-protected signature scheme based on RSA. In 2011, Popescu [10] introduced a secure proxy signature
scheme with delegation by warrant, and the scheme is based on the difficulty of solving the discrete logarithm
problem (DLP).

The two parties must authenticate one another and agree on a secret encryption key to communicate
together securely over an unreliable public network. To achieve this, key establishment protocols are applied at
the beginning of a communication session in order to verify the identities of both parties and build a common
session key. Authenticated key agreement protocols have an important role in establishing secure
communications between the two parties over the open network. The most famous protocol for key agreement
was proposed by Diffie and Hellman, which is based on the concept of public-key cryptography (DL) [11].
There are two types of the Diffie-Hellman protocol, namely static and ephemeral. In the first one, the parties
exchange static public keys, and in the second, they exchange ephemeral public keys [12]. The important feature
of the designed protocol is that the established session key is formed as a combination of static and ephemeral
private keys of two parties.

This paper demonstrates the effect of an efficient and secure authenticated key agreement protocol on a
proxy protected signature scheme with fault tolerance based on DLP. The designed protocol for the
authenticated key agreement is secure, efficient, and provides authentication between two entities before
exchanging the session keys. The remaining parts of this paper are organized as follows: In Section II, we
elaborate security properties of the proxy signature scheme. Next, we discuss the designed protocol in Section
III. In Section IV, we discuss Iuon and Chin Chang's scheme. In Section V, we propose our scheme. We
analyze the security properties and common attacks of our proposed scheme in Section VI. Finally, in Section
VII, we give our conclusion.

II. Security Requirements of Proxy Signature 

The security requirements for any proxy signature are first studied in [4] and later were improved in 
[7], [8]. According to them, a secure proxy signature scheme is expected to satisfy the following five 
requirements: 

1. Verifiability: A verifier can be confident of the original signer’s agreement on the signed message from a 
proxy signature. 

2. Strong unforgeability: Only the designated proxy signer can generate a valid proxy signature. 

3. Strong identifiability: The identity of the proxy signer can be determined by any verifier from a proxy 
signature. 

4. Strong undeniability: The proxy signer cannot repudiate the signature creation against anyone else, once 
he/she creates a valid proxy signature on behalf of an original signer. 

5. Prevention of misuse: The responsibility of the proxy signer should be determined explicitly if he/she
misuses the proxy key for purposes other than generating a valid proxy signature.

III. New Key Agreement Protocol 

The used protocol for authenticated key agreement [10] provides authentication between the two
parties A and B before exchanging the session keys. The protocol consists of three phases: the Registration
Phase, the Transfer and Substantiation Phase, and the Key Generation Phase. Fig. 1 shows the overall
operation of the new protocol. The system picks short-term private keys $r_A, r_B$; they are random integers with
$2 < r_A, r_B < p_1$ and $\gcd(r, p_1) = 1$, where $p_1 = (p-1)$ and $p$ is a large safe prime $p = n'p' + 1$ ($n'$ is a small
prime number, usually taken as 2, and $p'$ is a large prime number, usually at least 1024 bits). $t_A, t_B$ are
short-term public keys where $t_A = g^{r_A} \bmod p$ and $t_B = g^{r_B} \bmod p$; $g$ is a generator of $Z_p^*$. Furthermore, the
system picks long-term private keys $x_A, x_B$; they are random integers where $2 < x_A, x_B < p_1$ and
$\gcd(x, p_1) = 1$. It then computes the long-term public keys $y_A, y_B$ where $y_A = g^{x_A} \bmod p$ and
$y_B = g^{x_B} \bmod p$. $K_{AB}$ is the shared secret key calculated by the new secure protocol between the two
parties A and B.
Fig. 1. Overall operation of the proposed protocol

In the first step, the number of scalar multiplications required is one, the number of exponentiations
required is one, and the total number of messages sent is one. In the second step, each user will be verified
by the other one, because in the first step each user uses the short-term private key which belongs to him/her in
the calculation.

IV. Iuon and Chin Chang's Scheme

Iuon and Chin Chang's scheme [15] is developed from the concept of the meta-ElGamal signature scheme
[14] and the concept of Zhang's fault-tolerant signature scheme. In the ElGamal digital signature scheme, a system
first chooses a large prime $p$ and a generator $g$, such that $g \in Z_p^*$ with order $p - 1$. Both $p$ and $g$ can be shared
among a system of users. To generate a key pair, the signer A first chooses a random number $x_A$, $x_A \in Z_{p-1}$,
and calculates $y_A = g^{x_A} \bmod p$. A keeps $x_A$ secret and publishes $y_A$. Suppose that the signer Alice will send a
message with her signature to the receiver Bob. Alice possesses a secret key $x_A$ and a public key $y_A$. The
proposed scheme can be divided into two procedures:


1. The signature generation procedure. 

2. The fault tolerance and signature verification procedure. 



4.1 The Signature Generation Procedure 

1. Alice first divides the transmitted message M into numerical 3x3 message matrices $X_l$'s, such that
where $m_{ij}$, $1 \le i \le 3$, $1 \le j \le 3$, is a message block and $m_{ij} \in Z_{p-1}$.

2. For each message matrix $X_l$, Alice calculates its signature and constructs an expanded matrix $D_l$, such that

$$D_l = \begin{bmatrix}
m_{11} & m_{12} & m_{13} & r_1 & s_1 & t_1 \\
m_{21} & m_{22} & m_{23} & r_2 & s_2 & t_2 \\
m_{31} & m_{32} & m_{33} & r_3 & s_3 & t_3 \\
r^1 & r^2 & r^3 & & & \\
s^1 & s^2 & s^3 & & & \\
t^1 & t^2 & t^3 & & &
\end{bmatrix} \qquad (2)$$


Manuscript id.500503460 


www.iistre.com 


A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logarithm Problem 


The $r_i$, $s_i$, $t_i$, $r^j$, $s^j$ and $t^j$ can be calculated by using the following equations

$$r_i = g^{k_i} \bmod p, \qquad (3)$$

$$t_i = \sum_{j=1}^{3} m_{ij} \bmod (p-1), \qquad (4)$$

$$s_i = (H(m_{i1}) \cdot t_i - H(m_{i2}) \cdot r_i \cdot x_A)(H(m_{i3}) \cdot k_i)^{-1} \bmod (p-1), \qquad (5)$$

$$r^j = g^{k^j} \bmod p, \qquad (6)$$

$$t^j = \sum_{i=1}^{3} m_{ij} \bmod (p-1), \qquad (7)$$

$$s^j = (H(m_{1j}) \cdot t^j - H(m_{2j}) \cdot r^j \cdot x_A)(H(m_{3j}) \cdot k^j)^{-1} \bmod (p-1), \qquad (8)$$

where $H()$ is a public one-way hash function.

4.2 The Fault Tolerance and Signature Verification Procedure

1. Bob first detects errors by checking the equations

$$t_i = \sum_{j=1}^{3} m_{ij} \bmod p \quad \text{and} \quad t^j = \sum_{i=1}^{3} m_{ij} \bmod p \qquad (9)$$

If there is an error in $m_{uv}$, $1 \le u, v \le 3$, we must have that $t_u \ne \sum_{j=1}^{3} m_{uj} \bmod (p-1)$ and
$t^v \ne \sum_{i=1}^{3} m_{iv} \bmod (p-1)$. Therefore, the error could be easily detected.

2. After the error is detected in $m_{uv}$, it may be corrected by using either one of the following two equations

$$m_{uv} = t_u - \sum_{j=1, j \ne v}^{3} m_{uj} \bmod p$$

$$m_{uv} = t^v - \sum_{i=1, i \ne u}^{3} m_{iv} \bmod p$$

3. After correcting the errors, Bob has to verify the validity of the recovery and its corresponding signatures by
checking whether

$$g^{H(m_{i1}) \cdot t_i} \bmod p = y_A^{H(m_{i2}) \cdot r_i} \cdot r_i^{H(m_{i3}) \cdot s_i} \bmod p \qquad (10)$$

$$g^{H(m_{1j}) \cdot t^j} \bmod p = y_A^{H(m_{2j}) \cdot r^j} \cdot (r^j)^{H(m_{3j}) \cdot s^j} \bmod p \qquad (11)$$

or not. If the above verifications are positive, Bob will believe that the contents of the recovered messages are
valid. Otherwise, Bob can choose not to accept the received messages.
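
Added example (not code from the paper or from [15]): the signature generation of Section 4.1 and Bob's detect, correct and verify procedure of Section 4.2 on one 3x3 matrix. The toy safe prime, the SHA-256 based `H` stepped to a value coprime to $p-1$, and the message blocks are assumptions; checksums and corrections use the modulus $p-1$ of (4) and (7), and only error patterns confined to one row or one column are repaired, anything else is rejected.

```python
import hashlib
import secrets
from math import gcd

P = 2879                  # constructed toy safe prime, P = 2*1439 + 1 (far too small for real use)
N = P - 1                 # message blocks and exponents live in Z_{p-1}
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, N // 2, P) != 1)

def H(m):
    """Hash into Z_{p-1}, stepped to a unit so the inverse in (5)/(8) exists (assumption)."""
    h = int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N
    while gcd(h, N) != 1:
        h = (h + 1) % N
    return h

def unit():               # random exponent in [2, p-1) that is invertible mod p-1
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return k

def sign_vec(v, x):
    """(3)-(5) for a row, (6)-(8) for a column: returns (r, s, t) for three blocks."""
    k = unit()
    r, t = pow(G, k, P), sum(v) % N
    s = (H(v[0]) * t - H(v[1]) * r * x) * pow(H(v[2]) * k, -1, N) % N
    return r, s, t

def sign_matrix(X, x):
    """Row and column signatures, i.e. the border of the expanded matrix in (2)."""
    return [sign_vec(row, x) for row in X], [sign_vec(col, x) for col in zip(*X)]

def verify_vec(v, sig, y):
    """(10)/(11): g^(H(m1)*t) == y^(H(m2)*r) * r^(H(m3)*s) mod p, with t the checksum of v."""
    r, s, t = sig
    rhs = pow(y, H(v[1]) * r, P) * pow(r, H(v[2]) * s, P) % P
    return sum(v) % N == t and pow(G, H(v[0]) * t, P) == rhs

def repair(X, rows, cols):
    """Checksum test (9) and the row/column correction rule; None if the pattern is ambiguous."""
    X = [list(row) for row in X]
    bad_r = [u for u in range(3) if sum(X[u]) % N != rows[u][2]]
    bad_c = [v for v in range(3) if sum(X[i][v] for i in range(3)) % N != cols[v][2]]
    if len(bad_r) == 1:                    # errors confined to one row: use column checksums
        u = bad_r[0]
        for v in bad_c:
            X[u][v] = (cols[v][2] - sum(X[i][v] for i in range(3) if i != u)) % N
    elif len(bad_c) == 1:                  # errors confined to one column: use row checksums
        v = bad_c[0]
        for u in bad_r:
            X[u][v] = (rows[u][2] - sum(X[u][j] for j in range(3) if j != v)) % N
    elif bad_r or bad_c:
        return None
    return X

def receive(X, rows, cols, y):
    """Bob's side: repair first, then accept only if all six signatures verify."""
    fixed = repair(X, rows, cols)
    ok = fixed is not None and all(verify_vec(fixed[i], rows[i], y) for i in range(3)) and all(
        verify_vec(col, cols[j], y) for j, col in enumerate(zip(*fixed)))
    return fixed if ok else None

if __name__ == "__main__":
    x_A = unit()
    X = [[101, 202, 303], [404, 505, 606], [707, 808, 909]]      # constructed message blocks
    rows, cols = sign_matrix(X, x_A)
    damaged = [[101, 202, 303], [404, 505, 7], [707, 808, 909]]  # one block hit in transit
    print(receive(damaged, rows, cols, pow(G, x_A, P)) == X)
```

A block that is altered together with its checksums passes the checksum test but fails (10)/(11), which is why the signature check must follow every repair.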


V. The Proposed Proxy Signature Scheme


The proposed proxy scheme is focused on the proxy protected proxy signatures with the new
authenticated key agreement protocol with fault tolerance based on the DLP. The system is divided into four
phases: System setup, Proxy key generation, Proxy key verification, Proxy signature generation and Fault
tolerance and Proxy signature verification.

5.1 System Setup 

It is supposed that the original signer A invites the proxy signer P to perform signing on behalf of
him/her, and the verifier or the receiver B verifies the validity of the generated signature. Also, suppose that $p$ is
a large prime number, and $g$ is a generator for $Z_p^*$. $ID_A$ and $ID_P$ are the identities of the original signer and the
proxy signer, respectively. $x_A, x_P \in Z_p^*$ are the private keys of the original signer and the proxy signer,
respectively; then compute the public keys $y_A$ and $y_P$, where $y_A = g^{x_A} \bmod p$ and $y_P = g^{x_P} \bmod p$ are the public
keys of the original signer and proxy signer, respectively. $K_{AP}$ is the shared secret key between A and P.

5.2 Proxy Key Generation

1. The original signer entity A first divides the transmitted message M into numerical 3x3 message matrices
and does the following:

• Selects arbitrary integer values $k_i, k^j \in Z_p^*$

• Finds $r_i = g^{k_i} \bmod p$ and $r^j = g^{k^j} \bmod p$

• Calculates the warrant $m_w$, where $m_w$ must be created from $ID_A$, $ID_P$ and other data on the delegation.

• Computes $h(m_w \| r_i)$ and $h(m_w \| r^j)$

• Finds $\sigma_i = k_i + x_A \cdot (h(m_w \| r_i) \oplus K_{AP}) \bmod (p-1)$ and $\sigma^j = k^j + x_A \cdot (h(m_w \| r^j) \oplus K_{AP}) \bmod (p-1)$ for all
$1 \le i \le 3$, $1 \le j \le 3$.

• Sends $(m_w, r_i, r^j, K_{AP}, \sigma_i, \sigma^j)$ to the proxy signer in the secure channel.

2. The proxy signer checks the validity of $(m_w, r_i, r^j, K_{AP}, \sigma_i, \sigma^j)$ by verifying whether or not the following
equations hold: $g^{\sigma_i} = r_i \, y_A^{h(m_w \| r_i) \oplus K_{AP}}$ and $g^{\sigma^j} = r^j \, y_A^{h(m_w \| r^j) \oplus K_{AP}}$. If the verification is successful, the proxy
signer then computes an alternative proxy private/public key pair $\sigma_{pr}$ and $y_{pr}$, respectively, such that

$$\sigma_{ipr} = \sigma_i + x_P \cdot (h(m_w \| r_i) \oplus K_{AP}) \bmod (p-1), \qquad y_{ipr} = g^{\sigma_{ipr}} \bmod p \qquad (12)$$

$$\sigma^{j}_{pr} = \sigma^j + x_P \cdot (h(m_w \| r^j) \oplus K_{AP}) \bmod (p-1), \qquad y^{j}_{pr} = g^{\sigma^{j}_{pr}} \bmod p \qquad (13)$$


5.3 Signature Generation 

Now, the proxy signer P will sign a message M on behalf of the original signer; he uses $\sigma_{pr}$ to perform a
signing operation. The proxy signature on the message M is as follows

$$s_i = (H(m_{i1}) \cdot t_i - H(m_{i2}) \cdot \sigma_i \cdot y_{ipr})(H(m_{i3}) \cdot \sigma_{ipr})^{-1} \bmod (p-1),$$

$$s^j = (H(m_{1j}) \cdot t^j - H(m_{2j}) \cdot \sigma^j \cdot y^{j}_{pr})(H(m_{3j}) \cdot \sigma^{j}_{pr})^{-1} \bmod (p-1), \qquad (14)$$

where $t_i = \sum_{j=1}^{3} m_{ij} \bmod (p-1)$ and $t^j = \sum_{i=1}^{3} m_{ij} \bmod (p-1)$, for all $1 \le i \le 3$, $1 \le j \le 3$.

5.4 Fault tolerance and Signature Verification 

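1. The receiver B first detects errors by checking the equations

$$t_i = \sum_{j=1}^{3} m_{ij} \bmod p \quad \text{and} \quad t^j = \sum_{i=1}^{3} m_{ij} \bmod p \qquad (15)$$

If there is an error in $m_{uv}$, $1 \le u, v \le 3$, we must have that $t_u \ne \sum_{j=1}^{3} m_{uj} \bmod (p-1)$ and
$t^v \ne \sum_{i=1}^{3} m_{iv} \bmod (p-1)$. Therefore, the error could be easily detected.

2. After the error is detected in $m_{uv}$, it may be corrected by using either one of the following two equations

$$m_{uv} = t_u - \sum_{j=1, j \ne v}^{3} m_{uj} \bmod p$$

$$m_{uv} = t^v - \sum_{i=1, i \ne u}^{3} m_{iv} \bmod p \qquad (16)$$

3. The receiver B receives the signed message and he has to check whether or not the following equations hold:

$$g^{H(m_{i1}) \cdot t_i} = y_{ipr}^{H(m_{i3}) \cdot s_i} \cdot (r_i \cdot y_A^{h(m_w \| r_i) \oplus K_{AP}})^{H(m_{i2}) \cdot y_{ipr}} \bmod p$$

$$g^{H(m_{1j}) \cdot t^j} = (y^{j}_{pr})^{H(m_{3j}) \cdot s^j} \cdot (r^j \cdot y_A^{h(m_w \| r^j) \oplus K_{AP}})^{H(m_{2j}) \cdot y^{j}_{pr}} \bmod p$$

$$y_{pr} = r \, (y_A y_P)^{h(m_w \| r) \oplus K_{AP}} \bmod p \qquad (17)$$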
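
Added example (not code from the paper): the warrant-bound delegation of Section 5.2 and the verifier's recomputation of the proxy public key in (17), for one $(r, \sigma)$ pair; the scheme repeats it for each row $i$ and column $j$. The toy prime, the SHA-256 instantiation of $h$, the byte encoding of $r$, the warrant string and the random stand-in for $K_{AP}$ are assumptions.

```python
import hashlib
import secrets
from math import gcd

P = 2879                  # constructed toy safe prime, P = 2*1439 + 1 (far too small for real use)
N = P - 1
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, N // 2, P) != 1)

def keygen():
    """Long-term key as in Section III: 2 < x < p-1 with gcd(x, p-1) = 1, y = g^x mod p."""
    while True:
        x = secrets.randbelow(N - 3) + 3
        if gcd(x, N) == 1:
            return x, pow(G, x, P)

def binding(m_w, r, k_ap):
    """h(m_w || r) XOR K_AP; the byte encoding of r is an assumption of this example."""
    digest = hashlib.sha256(m_w + r.to_bytes(2, "big")).digest()
    return (int.from_bytes(digest, "big") % N) ^ k_ap

def delegate(x_a, m_w, k_ap):
    """Original signer A: r = g^k mod p, sigma = k + x_A * (h(m_w || r) XOR K_AP) mod p-1."""
    k = secrets.randbelow(N - 2) + 2
    r = pow(G, k, P)
    return r, (k + x_a * binding(m_w, r, k_ap)) % N

def accept_delegation(y_a, m_w, r, sigma, k_ap):
    """Proxy signer P: g^sigma == r * y_A^(h(m_w || r) XOR K_AP) mod p."""
    return pow(G, sigma, P) == r * pow(y_a, binding(m_w, r, k_ap), P) % P

def proxy_keypair(x_p, m_w, r, sigma, k_ap):
    """(12)/(13): sigma_pr = sigma + x_P * (h(m_w || r) XOR K_AP) mod p-1, y_pr = g^sigma_pr."""
    sigma_pr = (sigma + x_p * binding(m_w, r, k_ap)) % N
    return sigma_pr, pow(G, sigma_pr, P)

def expected_proxy_pub(y_a, y_p, m_w, r, k_ap):
    """(17): the verifier recomputes y_pr = r * (y_A * y_P)^(h(m_w || r) XOR K_AP) mod p."""
    return r * pow(y_a * y_p % P, binding(m_w, r, k_ap), P) % P

if __name__ == "__main__":
    (x_a, y_a), (x_p, y_p) = keygen(), keygen()
    k_ap = secrets.randbelow(N)            # stand-in for the key-agreement output K_AP
    warrant = b"ID_A=alice;ID_P=bob;valid=2024-01;scope=invoices"   # constructed m_w
    r, sigma = delegate(x_a, warrant, k_ap)
    print("proxy accepts:", accept_delegation(y_a, warrant, r, sigma, k_ap))
    _, y_pr = proxy_keypair(x_p, warrant, r, sigma, k_ap)
    print("verifier matches y_pr:", expected_proxy_pub(y_a, y_p, warrant, r, k_ap) == y_pr)
    widened = warrant.replace(b"invoices", b"anything")
    print("widened warrant accepted:", accept_delegation(y_a, widened, r, sigma, k_ap))
```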
VI. Security Analysis

In the following, we show that the proposed scheme satisfies the security features, namely, verifiability,
strong unforgeability, strong undeniability, strong identifiability, and prevention of misuse.

6.1 Verifiability 

According to the step 1 of the fault tolerance and the signature verification procedure, if an error occurs
in $m_{ij}$, then $t_i \ne m_{i1} + m_{i2} + m_{i3} \bmod p$ and $t^j \ne m_{1j} + m_{2j} + m_{3j} \bmod p$. The fault message can be
recovered by computing, if the rest of the messages $m_{ik}$'s, where $k = 1$ to 3 and $k \ne j$, in the $i$-th row are correct.
On the other hand, if the rest of the messages $m_{kj}$'s, where $k = 1$ to 3 and $k \ne i$, in the $j$-th column are
correct, the fault message $m_{ij}$ also can be recovered by computing $m_{ij} = t^j - (\sum_{k \ne i} m_{kj}) \bmod p$. Therefore,
an error is correctable only when no other errors simultaneously occur in the same row $i$ and the same column $j$.
In the proposed scheme, we can correct four errors in a message matrix $X$ at most. Figure 2 illustrates the
correctable conditions when four errors simultaneously occur in a message matrix. Therefore, all the four errors
can be corrected by using the check-sums in either the row or the column direction.

Fig. 2. The correctable conditions when there are four errors simultaneously occurring in a message matrix

According to the step 2, the receiver B can check the verification equation:

$$y_{pr} = g^{\sigma_{pr}} \bmod p = g^{k} (g^{x_A} g^{x_P})^{h(m_w \| r) \oplus K_{AP}} \bmod p$$
6.2 Strong Unforgeability

In this scheme, the proxy signature is created with the proxy signer's secret key $x_P$ and delegated
proxy key $\sigma$. The proxy key is bound with the original signer's secret key $x_A$ and the session key $K_{AP}$. No one
(including the original signer) can construct the proxy signature. If the original signer tries to construct the
proxy private key from a proxy public key, he/she will need to solve the DLP. However, the DLP is difficult.
Moreover, the verification of $h(m_w \| r) \oplus K_{AP}$ with the signed message prevents the dishonest party from the
creation of forged proxy signatures. Therefore, any party, including the original signer, cannot forge a valid
proxy signature, and thus the proposed scheme satisfies the unforgeability property.
6.3 Strong Identifiability

Any verifier can determine the identity of the proxy signer from the proxy signatures created by the
proxy signer. Therefore, in the proposed scheme, any verifier can identify the identity of the proxy signer from
the proxy signature generated by him on the message M.

6.4 Strong Undeniability

In the proposed scheme, the involvements of both original signer and proxy signer are determined by
the secret keys $x_P$ and $x_A$ from the proxy signature. Thus, the proxy signer and the original signer cannot deny
their involvement in a valid proxy signature. Consequently, the scheme satisfies the undeniability property.

6.5 Prevention of Misuse 

In the proposed scheme, the proxy signer cannot forge the delegated rights. The responsibility of the
proxy signer is determined from the warrant $m_w$ in the case of the proxy signer's misuse. Therefore, the original
signer's misuse is also prevented because he cannot compute a valid proxy signature against the proxy signer.
Next, we show that our scheme is heuristically secured by considering the following five most common attacks.

Known-Key Security (K-KS): In the proposed scheme, if an established session key between original
signer and proxy signer is disclosed, the adversary is unable to learn the other established session keys. In each
run of the proposed scheme between the two parties, a unique session key which depends on $r_A$ and $r_P$ should
be produced. Therefore, the adversary cannot compute $K_{AP}$ and cannot calculate
$\sigma = k + x_A \cdot (h(m_w \| r) \oplus K_{AP}) \bmod (p-1)$.

(Perfect) Forward Secrecy: If both secret keys of two parties are compromised, the adversary is
unable to derive the old session keys established by two parties. The protocol also possesses forward secrecy.
Suppose that the adversary compromises the private key $x_A$; he/she cannot calculate
$\sigma = k + x_A \cdot (h(m_w \| r) \oplus K_{AP}) \bmod (p-1)$. However, the secrecy of previous session keys established by the
honest parties is not affected, because an adversary who captured the private key $x_A$ should extract the
ephemeral keys $r_A$ or $r_P$ from the exchanged values to know the previous or next session keys between them.
Thus, he/she still fails to produce $\sigma$ to send to the proxy signer. However, this is DLP.

Key-Compromise Impersonation (K-CI): When the private key of the original signer is compromised, it
may be desirable that this event does not enable an adversary to impersonate other entities to the original signer.
Suppose that $x_A$ is disclosed. Now an opponent who knows this value can clearly impersonate the original
signer. In the proposed scheme, the opponent cannot impersonate the proxy signer to the original signer and
compute $\sigma_{pr} = \sigma + x_P \cdot (h(m_w \| r) \oplus K_{AP}) \bmod (p-1)$ without knowing the proxy signer's private key $x_P$.

For the success of the impersonation, the opponent must know the original signer's ephemeral key $r_A$. So, in
this case, the opponent should extract the value $r_A$ from $t_A = g^{r_A} \bmod p$; however, he/she cannot calculate the
sharing key, this is DLP.

Unknown Key-Share (UK-S): The original signer A cannot be coerced into sharing a key with the
proxy signer P without the knowledge of the original signer, i.e., A believes that the key is shared with some
entity $C \ne P$, and P believes that the key is shared with A. The used protocol prevents unknown key-share.
Corresponding to the proxy signer's public static and ephemeral keys $y_P, t_P$, an adversary cannot register
the proxy signer's public keys $y_P, t_P$ as its own, and according to the assumption of this protocol that d 2 has
verified that P possesses the private static and ephemeral keys $x_P, r_P$, respectively. So an adversary cannot
deceive the original signer into assuming that $\sigma_{pr} = \sigma + x_P \cdot (h(m_w \| r) \oplus K_{AP}) \bmod (p-1)$ was originated from him.
Therefore, the original signer cannot be coerced into sharing $K_{AP}$ with the proxy signer without his/her
knowledge.


VII. Conclusion 

In this paper, we considered the problem of combining a proxy protected signature scheme and fault
tolerance with a new key agreement protocol based on DLP. Our scheme does not consider the proxy revocation
mechanism. The proposed scheme satisfies the capability of correcting at most four errors for each 3x3 message
matrix. On the other hand, the scheme satisfies the necessary security requirements of proxy signature and has a
secure channel to deliver the proxy key, through the designed new protocol that meets the security attributes
under the assumption of DLP.